The latest NIST (United States National Institute for Standards and Technology) guidelines on password policies recommend a minimum of 8 characters. Perhaps more interesting is what they recommend against. They recommend against allowing password hints, requiring the password to contain certain characters (like numeric digits or upper-case characters), using knowledge-based authentication (e.g., what is your mother's maiden name?), using SMS (Short Message Service) for two-factor authentication, or expiring passwords after some amount of time. They also provide recommendations on how password data should be stored.
[Ed. Note: Contrary to common practice, I would advocate reading the entire linked article so we can have an informed discussion on the many recommendations in the proposal. What has been your experience with password policies? Do the recommendations rectify problems you have seen? Is it reasonable to expect average users to follow the recommendations? What have they left out?]
(Score: 2) by edIII on Saturday August 20 2016, @01:11AM
Funny thing is, I used a calculator. Still should have sanity checked the value, but I was writing the post while also sysadmin'n ;) Please be gentle...
Thank you very much for checking the math. I certainly fat fingered the 96 ^ 9 for sure. I saw an exponent of 72 instead of 17. Go figure.
Can you check that again? :D
I got 7.29 * 10 ^ 26 [duckduckgo.com].
I think it's contagious. You're welcome.....
P.S - Also interesting to note that an average person with 15,000 word vocabulary is only about 1 order of magnitude less than Shakespeare. I keep feeling that there really is a loss of keyspace because words literally do reduce the keyspace away from just random letters. That's why I feel adding the numbers in there and shifting the words in between them significantly increases keyspace.
Technically, lunchtime is at any moment. It's just a wave function.